[Full-Disclosure] PHP-Nuke mail CRLF Injection vulnerabilities

From: Ulf Harnhammar (ulfh@update.uu.se)
Date: 12/20/02


From: ulfh@update.uu.se (Ulf Harnhammar)
Date: Fri, 20 Dec 2002 11:32:21 +0100 (CET)

PHP-Nuke mail CRLF Injection vulnerabilities

PROGRAM: PHP-Nuke
VENDOR: Francisco Burzi et al.
HOMEPAGE: http://phpnuke.org/
VULNERABLE VERSIONS: 6.0 (the only supported version)
IMMUNE VERSIONS: 6.0 with my patch applied
LOGIN REQUIRED: no

DESCRIPTION:

"PHP-Nuke is a Web portal and online community system which
includes Web-based administration, surveys, access statistics,
user customizable boxes, a themes manager for registered users,
friendly administration GUI with graphic topic manager, the
ability to edit or delete stories, an option to delete comments,
a moderation system, referer tracking, integrated banner ad system,
search engine, backend/headlines generation (RSS/RDF format), Web
directory like Yahoo, events manager, and support for 20+ languages."

(direct quote from the program's project page at Freshmeat)

PHP-Nuke is published under the terms of the GNU General Public
License. It is a very popular program with lots and lots of
installations. It is included as one of the packages in Debian
GNU/Linux and one of FreeBSD's ports.

Despite all this, the program has a bad reputation regarding
security matters.

SUMMARY:

PHP-Nuke has four functions that allow restricted sending of
e-mails: Feedback, Recommend Us, Send (news item) to a Friend and
Send this Journal to a Friend. Each of them restricts either who you
can send e-mails to or what message you can send. They are available
to anonymous users as well as registered users.

By submitting special data, an attacker can escape these restrictions
and use someone else's PHP-Nuke installation to send HTML e-mails
to any recipient with any message that they like.

TECHNICAL DETAILS:

The fourth parameter to PHP's mail() function carries the additional
mail headers that PHP has no dedicated parameter for. In this case,
PHP-Nuke uses it to add From and Reply-To headers. When PHP-Nuke
constructs the value for this parameter, it does not check the form
data it uses for CR and LF characters. As a result, an attacker can
supply extra mail headers and even an extra mail body, and they will
be included in the mail between the real headers and the real body.
This is done simply by including CR and LF characters in the form
field that holds your e-mail address. If the attacker ends the
injected HTML message with an unclosed "<!--" comment marker or with a
"<font color='something'>" tag that sets the foreground colour to the
background colour, the real mail body will not be visible in many
mail clients.

COMMUNICATION WITH VENDOR:

I didn't contact the vendor, as Francisco has a very bad track
record when it comes to replying to security reports.

MY "SECURITY HARDENING PACKAGE":

Instead I wrote an unofficial patch for this issue. I have patched
against version 6.0.

The patch simply replaces all CR and LF characters in the vulnerable
variables with spaces, so that injected data can no longer terminate
a header line, and the exploit stops working.
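To illustrate both the header construction described under TECHNICAL DETAILS and the fix described above, here is an added example (not PHP-Nuke's own code and not the attached patch). The function names, the variable names $your_email and $your_name, and the sample input are assumed for illustration; they mirror the pattern of form data landing in the fourth argument of mail().

```php
<?php
// Vulnerable pattern: form data is copied straight into the header block
// that becomes the 4th argument of mail(). A value containing CR/LF ends
// the From line early and whatever follows is parsed as further headers
// (or, after an empty line, as a mail body).
function build_headers_vulnerable($your_email, $your_name) {
    return "From: $your_name <$your_email>\r\nReply-To: $your_email";
}

// Hardened pattern, following the advisory's fix: replace CR and LF in
// each untrusted value with a space before it reaches the header block.
function strip_crlf($value) {
    return str_replace(array("\r", "\n"), ' ', $value);
}

function build_headers_hardened($your_email, $your_name) {
    $your_email = strip_crlf($your_email);
    $your_name  = strip_crlf($your_name);
    return "From: $your_name <$your_email>\r\nReply-To: $your_email";
}

// Defensive self-check a maintainer can run: a header block assembled
// from two fields must consist of exactly the two intended header lines,
// each starting with the expected field name. Any extra line means the
// untrusted input managed to inject a header or a body.
function header_block_is_intact($headers) {
    $lines = preg_split("/\r\n|\r|\n/", $headers);
    return count($lines) === 2
        && strpos($lines[0], 'From: ') === 0
        && strpos($lines[1], 'Reply-To: ') === 0;
}

// Constructed sample input: an address field carrying line breaks, an
// extra header and an empty line followed by text (as the advisory
// describes). The header name is a harmless placeholder.
$tainted_email = "user@example.com\r\nX-Injected: 1\r\n\r\ninjected text";
$name = 'Test User';

$unsafe = build_headers_vulnerable($tainted_email, $name);
$safe   = build_headers_hardened($tainted_email, $name);

echo 'vulnerable block intact: ' . (header_block_is_intact($unsafe) ? 'yes' : 'no') . "\n";
echo 'hardened block intact:   ' . (header_block_is_intact($safe) ? 'yes' : 'no') . "\n";
```

The check treats a lone CR or LF as a line break too, since some mail transfer agents accept either as a header terminator.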

// Ulf Harnhammar
   VSU Security
   ulfh@update.uu.se

"I saw the worst minds of my generation / getting their political
 information from tabloids / listening to Savage Garden's greatest
 hits / getting married and having kids at 25 just 'cause the
 neighbours did / and building the worst administrative web-based
 members interface ever known to man" (To B.)

[Attachment: php-nuke_mail_crlf.patch (contents not included on this page)]